[ar:Jay Healey]
[al:Def Con 24 Hacking Conference]
[ti:Feds and 0Days: From Before Heartbleed to After FBI-Apple]
[au:Jay Healey]
[by: DEF CON Communications (https://www.defcon.org)]
[00:00:00.07]
>> Now it's time to kick off our
first talk and this is a talk
[00:00:03.33]
that I'm very excited about,
uhm, I actually, uhm, kicked
[00:00:06.53]
Jay's, uh, talk of a couple of
years ago. [laughter] You guys
[00:00:10.27]
are in for a real treat! Uhm,
Jay Healey is, uhm, not only
[00:00:14.87]
has, has a quite an interesting
resume and I'm sure he's gonna
[00:00:18.93]
go through some of that but he's
going to talk about Feds and
[00:00:23.93]
0days and stuff [coughing] that.
Cause it's been kinda a wild
[00:00:29.67]
year for things like law and
policy and security. Uhm, so,
[00:00:35.40]
this is going to be a good
one... Let's give our first
[00:00:41.63]
speaker a big round of applause!
[applause] [cheering]
[00:00:45.20]
[background noise] [ahem] >>
Great, thanks very much! My
[00:00:46.57]
name's Jay Healey, I teach at
Columbia University. And I wanna
[00:00:50.13]
kick off with this for a second
because I don't teach Computer
[00:00:52.40]
Science at Columbia I teach in
the International Affairs and
[00:00:55.93]
Public Policy school and that's
kinda been my resume up to this
[00:01:00.67]
point. Uhm, uhm, that just got
mentioned, I've spent, I started
[00:01:04.73]
coming to DefCon 9, I've been
part of this community. A few
[00:01:07.90]
years ago Jeff Moss put me on
the, uh, uh, Dark Tangent put me
[00:01:10.87]
on the review board to, uh, to
look at, so that I could review
[00:01:13.30]
the talks to be, to be even more
part of the community. But I've
[00:01:16.13]
also been part of the policy
community for that time, so one
[00:01:19.53]
foot in DefCon, and, and, with
all of you guys but also very
[00:01:24.87]
much within that policy audience
- the very deep Washington DC
[00:01:28.10]
crowd. And that's what I teach
now, is trying to, trying to go
[00:01:30.90]
back and forth so that the
policy folks can understand what
[00:01:34.33]
you do and also transit for you
guys at policy so that we can
[00:01:39.30]
figure out. Are, are the things
being done at Washington DC and
[00:01:42.67]
other capitals in our interest?
And also try get through some of
[00:01:46.37]
the BS so that you can better
understand. So in today's talk
[00:01:50.07]
we're gonna look at these four
areas. And want you to come away
[00:01:53.37]
from this especially [coughing]
understanding the government's
[00:01:56.30]
process for looking at 0days,
how did they decide what to
[00:02:00.53]
disclose to the vendor and what
they're going to retain for
[00:02:04.07]
their own use. Second, the real
meat of this is how many 0days
[00:02:10.10]
does the government keep to
itself per year? Is it hundreds,
[00:02:13.70]
is it thousands, is it more than
that, is it less than that? So,
[00:02:16.70]
just by a show of hands, who,
who imagine that the government
[00:02:19.50]
keeps, keeps hundreds of
vulnerabilities? [pause] Okay,
[00:02:23.40]
uh, uh, alright. Decent maybe, a
quarter of you. Thousands?
[00:02:27.03]
[pause] Wow! A lot more! Who
thinks it's maybe more than
[00:02:29.00]
thousands? [Pause] Great! Anyone
less than anything I've listed
[00:02:32.83]
there? [pause] Okay, uhm, I'm
gonna, I'm gonna cut to the end
[00:02:36.37]
of the talk - it looks like from
every piece of evidence that we
[00:02:39.73]
can find that it is much more
less than that. [audience noise]
[00:02:43.23]
Uhm, now I know you're not gonna
believe that. [chuckle]
[00:02:48.10]
[laughter] So, we're going, I'm
gonna go through every line of
[00:02:50.73]
evidence that we've gone through
to try and prove it and disprove
[00:02:53.17]
it. And let you make up your own
minds. Last, so if every year
[00:02:57.77]
they have got some how big is
that overall arsenal of retained
[00:03:00.40]
vulnerabilities that they, that
they're keeping for themselves?
[00:03:03.77]
So if the, how many does it keep
every year? Is about the flow,
[00:03:07.40]
how many, how many do they have
in the arsenal? Then what we
[00:03:10.97]
don't know, there's still some,
some big re- open research
[00:03:13.90]
questions and then some
recommendations for governments
[00:03:16.63]
as well as recommendations for
the rest of us. This is work
[00:03:19.67]
that was done by, uhm, kicked
off from a team of students from
[00:03:23.60]
Columbia University, School of
International and Public
[00:03:26.13]
Affairs. [cough] So we had five
different teams that were, uh,
[00:03:29.47]
looking across all different
aspects of this. So the student
[00:03:34.53]
research teams, uh, one of the
student's is here. We had folks
[00:03:38.30]
looking at everything from, uhm,
the 0Day market and can we find
[00:03:43.43]
what activity the government and
0day market, what about the
[00:03:46.70]
government and, uh, uh, role in
vulnerability disclosure
[00:03:49.07]
programs? Uhm, uh, diving right
in and trying to figure out the
[00:03:53.10]
VEP process. We had some folks
that, you know, had some
[00:03:56.10]
statistical background. They try
and look at it from statistics,
[00:03:58.83]
we tried to see, alright, what's
the use of actual 0days, uhm, in
[00:04:01.53]
the wild and what do we know
about other government programs?
[00:04:06.67]
[pause] So, I'm not in a, I'm
not gonna reference this slide
[00:04:09.57]
other than to say they put in a
lot of work, we've put in a lot
[00:04:12.87]
of work up to this point, uhm,
I'm gonna keep saying this again
[00:04:16.50]
and again - I don't know if we
got the right answer but we've
[00:04:20.07]
tried to run down every line of
evidence that we can. And we put
[00:04:23.70]
together, as you can see from
this timeline of the government
[00:04:26.00]
process - we've gotten to get a
lot of information on this. This
[00:04:29.47]
should be coming out in a
report, hopefully in the,
[00:04:31.97]
hopefully in the Fall. So,
whenever I can't, whenever I've
[00:04:35.20]
tried to make a judgement I've
listed "What's my level of
[00:04:37.63]
confidence" based on, uhm, based
on my judging of that evidence.
[00:04:42.43]
As someone that understands both
the technology side as well, as
[00:04:45.80]
well as the policy side. As I've
said I've tried to go through
[00:04:48.90]
every line of evidence that I
can, uh, we've hunted down as
[00:04:53.13]
far as we can. I'll present all
of that to you. [pause] [cough]
[00:04:56.67]
Uhm, you're still gonna, uhm,
[pause] There's a, there's
[00:05:02.07]
reasons why we're really
suspicious about government on
[00:05:04.83]
this. Uhm, they've given us a
lot of reasons to be suspicious
[00:05:10.30]
about this and suspect the
number is far higher. I'm
[00:05:14.00]
probably not gonna convince all
of you. I had a great talk last
[00:05:16.60]
night, uhm, at the speaker, at
the speaker's lounge with Don,
[00:05:19.70]
Don I don't know if you're here,
I couldn't convince Don.
[00:05:23.20]
[laughter] [audience noise] And,
uhm, uh, no matter, no matter
[00:05:25.30]
the amount of evidence, uhm, Don
wasn't going to be convinced.
[00:05:28.43]
And that's okay! [pause] Uhm,
I'm not gonna convince, I'm not
[00:05:31.47]
gonna convince a lot of you
about the answers that we come
[00:05:34.73]
up with. What I prefer you be
convinced about is that we did
[00:05:37.70]
do the best job we could to try
and come up with those correct
[00:05:40.67]
answers. And, if we did get it
wrong, that someone else can
[00:05:45.43]
come in and try and get a better
answer. So, last, when it comes
[00:05:48.97]
to credibility, uhm, as I said,
I've been coming since, uh, I
[00:05:53.50]
started coming at DefCon 9, I'm
on the DefCon review board. Uhm,
[00:05:57.23]
I've gone to the folks that you
might consider credible on this,
[00:06:00.23]
I've talked to this about Dark
Tangent, to, to Dark Tangent, to
[00:06:02.83]
the EFF, to a lot of journalists
on, that have written on this.
[00:06:06.53]
And the names that you would
know. Uhm, I've also done this
[00:06:10.27]
to be try to, to try to be
credible, credible in the policy
[00:06:13.30]
audience. [coughing] Uhm, I came
out of this in, in military,
[00:06:16.97]
uhm, doing, uhm, doing mostly
defensive cyber stuff, I had
[00:06:21.27]
time at the Pentagon, I had time
at the White House - I've talked
[00:06:24.23]
to that crowd. And tried, and
the journalists that are, that,
[00:06:28.37]
uhm, have written the stories
and I've gone to all these
[00:06:31.17]
groups. From EFF to former White
House and current government
[00:06:36.23]
officials to say "Where am I
right? Where are we wrong? What
[00:06:40.40]
has our, has our research, uh,
seem to be, uhm, seem to be
[00:06:43.30]
off?" I've said, "Can we prove
that we're wrong? Is there any
[00:06:48.80]
way that we can try and, any
evidence to disprove this?". And
[00:06:52.20]
this is what we've come up with
so far. So, at least you'll
[00:06:55.43]
hopefully be convinced with what
we've done. Okay, way too much
[00:07:00.23]
preface... Uhm, so the
government has two main roles
[00:07:02.83]
when you're talking about the
vulns - and there are strong
[00:07:05.50]
tension and often bureaucratic
infighting within these two
[00:07:08.27]
communities. You've got the, the
agencies that love to use the
[00:07:13.10]
0days - they want to keep the
0days, generally, this is really
[00:07:16.43]
simplified. So you get DOD, the
intelligence community and law
[00:07:19.80]
enforcement agencies. Uhm, that
will likely keep these open as
[00:07:23.63]
we saw on Apple FBI so that they
can collect intelligence. So
[00:07:27.73]
they can, they can, uhm, do
their, do their job as they see
[00:07:31.63]
it. There's others that, who's,
who's, who's equity is say now
[00:07:35.80]
"We want these to be pretty much
all closed down". So for example
[00:07:40.40]
the department of commerce
[cough] has been, they've been
[00:07:43.00]
running a vuln, vulner,
vulnerability disclosure
[00:07:45.20]
dialogue, Allan Friedman there.
Uh, the, uh, the, uh, the
[00:07:50.40]
agencies that represent the
specific sector of critical
[00:07:53.60]
infrastructure like the treasury
department or the energy depart,
[00:07:57.03]
department have equities where
they want things disclosed back
[00:07:59.60]
to vendors. Uhm, and the DHS -
uhm, which, for the most part
[00:08:05.20]
want some defensive. There law
enforcement parts of DHS, uhm,
[00:08:09.37]
on the uh, but for the most part
the critical infrastructure
[00:08:12.03]
protection and cyber security
folks overwhelmingly want the,
[00:08:14.53]
want these closed down. And this
is important cause you see this
[00:08:18.20]
tension between these agencies,
the government is certainly not
[00:08:21.47]
of one mind on this. And this
does come in when we're thinking
[00:08:24.90]
of evidence later on. I also
wanna point out. There's three
[00:08:28.63]
different main kinds of
vulnerabilities, uhm, when
[00:08:31.17]
you're thinking of this from the
government's perspective. First
[00:08:33.50]
is the battlefield systems,
right? This talk isn't going to
[00:08:37.23]
deal with a Russian
surface-to-air missile
[00:08:41.40]
vulnerability, right? That is
not a commercial system that
[00:08:44.97]
would go into the program that
we're talking about here. Second
[00:08:50.17]
are closed and proprietary but
still commercial systems - so,
[00:08:54.30]
like, this is the things like
Siemens, you know, the
[00:08:56.10]
industrial control systems, you
know, the more internet of thi,
[00:08:59.60]
internet of things, uhm, devices
that are coming online. Last,
[00:09:04.03]
the one that we tend to think
about when we're thinking about
[00:09:06.40]
vulns is the open internet, you
know, the Microsofts, the
[00:09:11.73]
Ciscos, the Apple, the Apple
vulnerabilities. But keep in
[00:09:14.60]
mind we do have these three sets
and we're not going to be
[00:09:16.97]
talking about the closed
battlefield one. [pause] So,
[00:09:21.73]
we're gonna start the story.
Uhm, I know that the government
[00:09:24.43]
has been, uhm, using and sharing
vulnerabilities for at least 15,
[00:09:29.57]
probably more like 20, 20 years
going, going back to the '90s.
[00:09:33.37]
Uhm, some of you might have, uh,
seen comments from Richard
[00:09:37.70]
Bejtlich, he's now at FireEye
Mandiant, and he had been in the
[00:09:41.53]
Air Force in the '90s. And he, he
gave this quote uhm, he was on
[00:09:45.63]
the defensive side of Air Force
CIRT and they discovered a Cisco
[00:09:50.43]
vulnerability and they said
"Great, let's tell Cisco." They
[00:09:54.90]
didn't have any type of process,
they said that's the right thing
[00:09:57.17]
to do. And the offensive part of
the Air Force at that time, in
[00:10:02.43]
San Antonio, [coughing], uhm,
said "What are you doing? Let us
[00:10:06.17]
know about that first, you can't
just tell the vendor." So you
[00:10:09.90]
know, at least at this point in
the Air Force you had this, at
[00:10:11.97]
least there was no set policy
and you this default to the
[00:10:15.90]
offense, right? They said "We'll
decide", and it looked like they
[00:10:19.87]
were keeping it for offensive
purposes. Also, we know from
[00:10:23.60]
this time that, uh, the military
and the other agencies did
[00:10:27.80]
really hoarded it, right? If you
were Air Force and you had a
[00:10:30.07]
Cisco vulnerability, you didn't
tell the Navy about that. You
[00:10:33.30]
didn't tell the NSA, you didn't
tell the Army, uhm, everyone
[00:10:36.70]
kept that capability to himself
because it was something that
[00:10:40.60]
you, you could have and once you
share it to the Navy they might
[00:10:43.37]
use it and then you can't use it
any, you can't use it yourself
[00:10:46.20]
within the Air Force. So,
really looked like it was quite
[00:10:48.67]
a bit hoarded. To try and fix
this the NSA started
[00:10:51.40]
“Information Operations
Technology Center”, probably
[00:10:54.80]
around '97, '98, it looks like,
to try and share capabilities.
[00:10:59.10]
Now they're talking about this
toolkit that probably was more
[00:11:02.37]
about exploits than
vulnerabilities, but of course
[00:11:05.17]
I'm, I'm sure it would have
included both. [pause] So
[00:11:09.33]
there's nothing from the White
House on this point up until
[00:11:12.10]
about two thou, well until July
2002. When they came out with a
[00:11:18.50]
classified National Security
Policy Directive, NSPD, NSPD 16.
[00:11:23.90]
Still classified, and it asser,
it asserted the presidential
[00:11:27.37]
authority to get involved in
this process. So, if you hear of
[00:11:30.57]
someone that says the government
doesn't know what they're doing
[00:11:32.70]
on offensive, there's no policy
to coordinate this - no, it's
[00:11:35.67]
actually quite a known policy,
it's almost, it's almost 15
[00:11:37.90]
years old. Uhm, and I've talked
to some of the folks involved,
[00:11:41.63]
they didn't say, they don't
remember it really dealing with
[00:11:44.20]
vulnerabilities. I don't think
vulnerabilities featured much in
[00:11:47.20]
that, it was more about, it
seems like it was more about
[00:11:49.83]
coordinating operations. And
again, prior to 2010 there's, it
[00:11:55.37]
doesn't seem like there's any US
government wide policy or
[00:12:01.00]
process to handle this. [cough]
Uhm, so even if there wasn't
[00:12:07.60]
anything government wide there
definitely was within NSA. Uhm,
[00:12:10.97]
they, they call it their
"Equities Process" was based on
[00:12:14.57]
their intel gain-loss
assessment. If any, if any of
[00:12:16.87]
you know intelligence, you know,
the US interest can be better
[00:12:19.90]
served if we get this to the
vendor, than if we keep this to
[00:12:22.00]
ourselves but the decision was
entirely up to the director of
[00:12:26.17]
NSA. He didn't have to ask
anyone else in the US
[00:12:29.60]
government, he didn't have to
get advice from what we, from
[00:12:33.60]
what we know of it. Uhm, doesn't
seem like there was any, anyone
[00:12:37.77]
outside of NSA that was part of
this. There was no way to get
[00:12:41.33]
anything in. Uhm, they're more
likely to keep it, this phrase
[00:12:44.47]
kept coming up a lot on the
research of NOBUS, more likely
[00:12:47.90]
to keep it if "no one but us" is
able to use this vulnerability.
[00:12:52.27]
If it is so obscure, so, so my
favorite example of NOBUS - since
[00:12:56.37]
we're in Vegas - is, uhm, what
was it? Ocean's 13, you know,
[00:13:00.60]
when Brad Pitt, they, they, hack
the, uhm, uh, the jackpot
[00:13:05.27]
machine and you have to drop the
coins in a certain manner to
[00:13:09.03]
make, to make the thing jackpot,
right? That's no one but us, no
[00:13:12.00]
one but the Ocean's 11 gang
would have known that you had to
[00:13:14.43]
drop the tokens into this
machine in a certain way. That's
[00:13:16.93]
kinda what we mean by NOBUS -
difficult to access, it's really
[00:13:21.20]
obscure, I mean, it's going to
take some, uh, difficult to
[00:13:24.53]
discover, really difficult to
try and exploit. Now I assume
[00:13:28.73]
but I don't know, that the other
agencies that tried, that like
[00:13:32.30]
to keep vulnerabilities had
their own internal process, uhm,
[00:13:35.37]
I assume CIA and justice did
but, uhm, we haven't been able
[00:13:38.73]
to discover that yet. So where
things really kick off is in
[00:13:44.00]
2010 and we know this now
because of, uh, documents from
[00:13:47.50]
the EFF, and by the way you'll
see a bit FN2 up
[00:13:50.03]
there...[laughter] I added all
the footnotes at the very end of
[00:13:53.30]
the talk, uhm, I'm gonna leave
my references up there so you
[00:13:56.67]
can take a photo of it if you're
interested in following up on
[00:13:59.10]
the ref, following up on the
references. So now you finally
[00:14:03.20]
had this document that came out
in 2010, uhm, from the Office of the
[00:14:08.53]
Director of National
Intelligence I believe. That
[00:14:11.27]
laid out here's the process
that's going to come out. Uhm,
[00:14:15.57]
NSA can still run it but you've
now got a formal process in
[00:14:19.80]
Washington C, DC, they call it
the "interagency" process. by
[00:14:23.37]
which others need to be brought
in if they're going to have an
[00:14:26.37]
equity in this issue. [pause] So
this is what that process looked
[00:14:33.50]
like... This is what was in
place from 2010 to 2014. So
[00:14:38.80]
note, at the top, the government
or its contractors and I think
[00:14:42.97]
that's a, that's a nice loophole
that they were taking out there
[00:14:45.43]
to include contractors. Find
something that's newly
[00:14:48.17]
discovered and not publicly
known. So all of these, these
[00:14:52.70]
are key phrases in there. NSA is
the executive severe,
[00:14:56.47]
secretariat, this is good for us
because if NSA IAD which is the
[00:15:01.17]
defensive side of NSA, it wasn't
being run by TAO, which was the
[00:15:06.93]
offence, espionage part of the
NSA. So it was being run by the
[00:15:10.93]
defenders is actually a good
sign, uhm, that things were
[00:15:14.03]
going in the right direction.
Uhm, it would go to an equities
[00:15:18.27]
review board which would have
the senior people on it and they
[00:15:22.10]
would be the ones, the ones that
would make the final, uhm,
[00:15:24.97]
decision based on the
recommendations from the subject
[00:15:26.93]
matter expert. Uhm, there was,
and they would make the decision
[00:15:30.90]
whether to disclose to the
vendor or retain for their own
[00:15:34.37]
purposes. Now this is, uhm, it,
there was an appeals process but
[00:15:39.80]
it was retracted. So it's tough
to know exactly what the appeals
[00:15:42.83]
process was going, going to be.
[pause] So as much as I like
[00:15:48.17]
this, this is, this is a decent
process, right. If you were
[00:15:52.23]
going to implement this in your
organisation it's not a bad way
[00:15:56.30]
to do it. At least it's
relatively well laid out, you
[00:15:57.63]
can in fact flowchart it
[chuckle] and it does include
[00:16:01.17]
people outside of the agency in
question. So, as a policy guide,
[00:16:05.40]
this is, this is, okay. Uh, it
turns out that it wasn't really
[00:16:09.67]
ever fully implemented. So this
came out in 2010, uhm, footnote
[00:16:15.47]
three there is from one of my,
uhm, uh, former colleagues that
[00:16:20.43]
had been at the White House
during this time. That he said
[00:16:24.10]
it became "dormant", that NSA
ran their own internal process,
[00:16:27.80]
didn't formally include the
outside agencies as much as we
[00:16:30.77]
would have wanted. Uhm, footnote
four is from the current head of
[00:16:35.83]
the cyber direct, directorate at
the NSA. So, Mi, a guy named
[00:16:39.27]
Michael Daniel, so he's the
president's top cyber advisor.
[00:16:42.63]
And he looks at both defence and
some offence, uhm, and he said,
[00:16:47.03]
uhm, "This policy at this time
wasn't fully implemented". So
[00:16:52.20]
they reinvigorated it in 2014
and I'll talk about that
[00:16:54.83]
reinvigoration in a second here.
And it looks like this decision
[00:16:59.10]
to reinvigorate was in part,
might have been in part driven
[00:17:03.90]
by Stuxnet. By the discovery
that Stuxnet used so many
[00:17:07.70]
Microsoft, uhm, 0days as well as
Siemens' vulnerabilities as
[00:17:12.93]
well. So, if you remember, I
talked about that tension
[00:17:15.23]
between the bureaucracies, uhm,
if this is true then, this might
[00:17:20.73]
have been one of those places
where you were seeing this
[00:17:22.33]
tension between, in the
bureaucracy. So that when the
[00:17:26.27]
way I imagine, and again, I
haven't found evidence on this,
[00:17:28.70]
this is just in my mind, you
could, you could imagine seeing
[00:17:32.90]
these defensive bureaucracies,
like DHS, or treasury, or
[00:17:39.00]
energy, or commerce, saying
"Holy cr*p! We just did what
[00:17:43.20]
with Stuxnet? We didn't know
about that? You were keeping all
[00:17:46.77]
of these and now our agencies
are having to deal with this? We
[00:17:49.77]
need to try and fix this!". And
so this tension within the
[00:17:52.93]
bureaucracy is an important
point, uh, I think might have
[00:17:56.73]
been an important point here,
but I'm also going to bring it
[00:17:59.27]
up later on because, what we
don't see on it, we don't see
[00:18:02.70]
that tension today. We don't see
this disagreement and I think
[00:18:05.83]
that that lack of evidence is
very interesting to me. Okay,
[00:18:08.57]
uhm, [coughing] So, after the
Snowden revelations the
[00:18:14.73]
president Obama puts together a
senior review group, including
[00:18:18.53]
people like Dick Clarke and
others I understand are, are,
[00:18:21.00]
feel somewhat well. Uhm, to say
"What are the recommendations
[00:18:25.23]
that we can do to look at, uhm,
intelligence and other way based
[00:18:29.87]
on, uhm, the Snowden
revelations?". One of those
[00:18:33.07]
recommendations, recommendation
number 30, was we need a default
[00:18:36.73]
disclosure policy and we need a
better process. [coughing]
[00:18:41.10]
Obama, ob, accepts those
recommendations January 2014,
[00:18:46.70]
saying one "Disclosed by
default". So the president
[00:18:51.20]
signed off on this piece of
paper that said "The US
[00:18:56.10]
government policy is that when
we get a vulnerability my intent
[00:19:02.20]
is that that will be disclosed
to the vendor, and if you don't
[00:19:05.90]
wanna disclose that, you want to
retain that, then it's up to you
[00:19:09.47]
to prove why that's a good
idea." Such public policy
[00:19:14.27]
defaults are really important.
Cause now you know the
[00:19:16.87]
president's intent and it's up
to the other agencies, right?
[00:19:21.17]
You can't say "Well, we didn't
know what the president wanted."
[00:19:23.37]
It well, you can but it becomes
a lot, lot tougher. Also, what
[00:19:29.07]
the president did was saying
this stuff is too damn important
[00:19:32.80]
to leave at any one agency.
[pause] So, we're gonna bring it
[00:19:38.10]
into the White House. This can't
be decided at just NSA anymore,
[00:19:43.70]
this now has to run out of the
NSC - the president's National
[00:19:47.37]
Security Council. We learned a
little bit more about this and
[00:19:52.67]
I'll go through that process and
I'll put a slide up that has
[00:19:54.97]
that flowchart in a second. Uhm,
we learned a little bit more
[00:19:58.77]
about this in congressional
testimony from Admiral Rogers,
[00:20:01.43]
when, uhm, when he was up to be
the, uhm, uh, I think it was
[00:20:06.33]
confirmation for cyber com
commander, March 2014. This is
[00:20:10.70]
the first time we really learn
about this default, uh, default,
[00:20:13.30]
disclose by default policy, was
in his testimony. We didn't, we
[00:20:18.30]
didn't know in the community
about Obama's decision until he
[00:20:21.00]
talked about it here. I also
thought that it was interesting,
[00:20:23.50]
you can see the bits I
highlighted subtly there. "NSA
[00:20:26.07]
always employed that principle",
he said. He talked about, he did
[00:20:30.33]
a decent job of talking a little
bit about that process in
[00:20:33.50]
highlighting it's not just
software vulnerabilities but
[00:20:36.07]
hardware vulnerabilities as
well. And that if they do decide
[00:20:40.43]
to retain it they attempt to
find other ways to mitigate the
[00:20:43.57]
risks. So, for example, if you
were gonna, if you were gonna
[00:20:46.57]
try and retain it, uhm, maybe
you try and you use, uhm, a more
[00:20:50.43]
significant collection to see if
anyone else is finding this bug.
[00:20:53.20]
And if someone else finds the
bugs then you'll, then you'll
[00:20:55.17]
decide to tell the vendor. Uhm,
and so this was really trusting
[00:20:59.63]
for us, and it helped, on a, a
pol, as a policy guy, what
[00:21:03.07]
people tell Congress usually
matters. Uhm, usually if a
[00:21:06.77]
staffer thinks a person is full
of it, the congressional staffer
[00:21:10.87]
thinks the person's full of it
they'll go through and they'll,
[00:21:13.77]
they'll leak in saying "Look
they testified this but we know
[00:21:17.07]
the truth, we know that the
truth is different" and we
[00:21:19.17]
didn't find any of, we didn't
get any of that out of this kind
[00:21:22.33]
of testimony. So I wanna really
repeat on this - cause as a
[00:21:26.07]
policy guy this was incredibly
important to me [coughing] The
[00:21:28.80]
White House policy is to
disclose to vendors. And you can
[00:21:32.83]
scoff, and I'm okay with that,
but for policy guy that's about
[00:21:36.70]
as strong as it gets. The
president himself made this
[00:21:40.20]
decision and then he didn't just
make the decision he said "I
[00:21:44.67]
will have my personal people
that are beholden to me as the
[00:21:47.90]
national security council staff,
review this." [pause] Uhm, and
[00:21:54.87]
so that, and again, it can get
stronger but this is really
[00:21:58.23]
strong in Washington, in
Washington DC terms. But when
[00:22:02.40]
this was coming out it was
pretty, [chuckle] there were
[00:22:05.83]
some exceptions that struck us
and it's people like Kim Z and
[00:22:08.93]
others saying that "Well, yeah,
the default policy is to
[00:22:13.00]
disclose but if you carve out
exceptions for national security
[00:22:16.70]
and law enforcement, what the
hell have you done?!" Right?
[00:22:19.43]
Those are exceptions you can
drive a truck through, uhm, so,
[00:22:25.43]
so really I was extremely
skeptical at this stage. Cause
[00:22:29.03]
we know, I mean, all of us have
seen what happens when you have
[00:22:32.07]
that kind of exception, what the
intelligence community can do
[00:22:35.27]
with it, right? They're go
[chuckle] they're gonna play it
[00:22:36.97]
to the edge... [laughter] But we
did get three more breakthroughs
[00:22:41.47]
that really made a significant
difference in understanding
[00:22:44.30]
those exceptions. One,
heartbleed. [pause] [background
[00:22:49.87]
noise] So, uhm, Bloomberg
reporter wrote a story that said
[00:22:54.73]
"NSA knew...", he had some
confidential sources that said
[00:22:59.53]
"NSA knew about heartbleed" and
that story came out. [cough]
[00:23:04.67]
Couple days later the New York
Times, uhm, David Sanger [cough]
[00:23:11.57]
[pause] reacted to that story
and he was able to get the White
[00:23:15.40]
House, sorry, to get the NSA to
publicly deny the Bloomberg
[00:23:20.63]
story. This was unprecedented to
get an intelligence community
[00:23:24.60]
agency to talk on the record
about the about their
[00:23:26.60]
intelligence collection ability.
They would always sit back and
[00:23:30.10]
say "We will not confirm or
deny", cause they don't wanna
[00:23:32.07]
get in this place. It was
stunning that NSA came out and
[00:23:35.73]
said, "Look, we had no idea
about this" [cough] and I, I
[00:23:40.63]
suspected that they would keep
this one for reasons we'll talk
[00:23:43.03]
about in a second. They came out
and said "We didn't know about
[00:23:45.27]
this", uhm, you see, the, the
uh, the IC on the record to the
[00:23:48.20]
officer director of national
intelligence came out and said
[00:23:50.97]
"We didn't know about this - the
Bloomberg story is false!". Uhm,
[00:23:54.30]
or they didn't get, you know,
they didn't talk to the right
[00:23:58.07]
folks. 17 days after that
Bloomberg story breaks we really
[00:24:03.30]
get a fantastic set of
information - this White House
[00:24:07.50]
cyber guy, the president cyber
advisor, uhm, publishes a blog,
[00:24:11.77]
uhm, on "White House dot gov",
that says we didn't know, and
[00:24:18.23]
moreover he really gives us a
sign in on what they do and how
[00:24:22.03]
they operate within the White
House. He lays out these
[00:24:26.13]
decision criteria [pause] - how
much is it used? How bad is the
[00:24:31.33]
vulnerability if it's not
patched? How much harm could
[00:24:34.53]
they do to us? Uhm, if someone
was using this vuln against us,
[00:24:38.13]
how likely is it that we would
know ourselves? Uhm, if we
[00:24:41.43]
really need this vulnerability
for intelligence, I mean, is
[00:24:43.87]
this something that, uhm, you
know, we need to know if
[00:24:47.33]
Russia's planning a secret
nuclear strike on us? Or is this
[00:24:50.30]
just a kind of a routine kind of
bug that might not be that
[00:24:53.27]
useful? Uhm, this number 6 is
really important for reasons
[00:24:56.30]
I'll come back, could we use it
for short period before we
[00:25:00.20]
disclose it? And to me, that's
that's an important one we'll
[00:25:02.77]
come back, we'll come back to...
Uhm, and can be, you know, has
[00:25:05.97]
anyone else found it and can
this, can this get patched? Now,
[00:25:10.93]
that strikes me as a pretty decent
way of going about this. It's
[00:25:15.23]
not a bad analytical way ask, of
saying "What are the important
[00:25:20.07]
questions that we need to
answer? What's the process by
[00:25:23.17]
which we're gonna try and get
ans, answers to these? So,
[00:25:25.83]
again, as a policy guy I read
this, I was floored that, that
[00:25:29.30]
the White House was willing to
talk about this, this much depth
[00:25:31.73]
at it and I was really pleased,
that I, I couldn't think of any
[00:25:34.63]
additional questions to add in
here. So it seemed to me to be a
[00:25:37.50]
decent way of going about it.
Uhm, the second breakthrough,
[00:25:41.63]
uhm, I dunno if EF, EFF is here
but thank you ... [chuckle] EFF
[00:25:46.37]
did a fantastic job, uhm, doing
a FOIA request and follow-up
[00:25:50.47]
lawsuits for some, for some of
these key documents on the
[00:25:53.07]
vulnerabilities' equities
process. Uhm, and so, uh, this
[00:26:03.67]
footnote two, you can go look,
you can go look at these
[00:26:05.00]
documents again, maybe you come
to different conclusions than we
[00:26:07.00]
did. Uhm, you, you can see from
that, from that one, it's, it's
[00:26:08.37]
decently well redacted but still
we were able to get a lot
[00:26:09.70]
details out of the process
thanks to EFF. [cough]
[00:26:12.57]
Breakthrough number three, uhm,
the NSA came out with some more
[00:26:15.17]
information, uhm, on 30 October
and they said "91% of
[00:26:20.17]
[00:26:22.57]
vulnerabilities that went
internal NSA process over the
[00:26:27.30]
history of the NSA process were
disclosed to the vendor. And out
[00:26:32.80]
of the 9% that's the remainder
that includes at least some that
[00:26:37.43]
the vendor discovered before
NSA had a chance to disclose".
[00:26:42.77]
Uhm, now, I'm sorry, that's
historically including all vulns
[00:26:49.13]
at least back to 2010, not, not
2020. [laughter] Uh, the, uhm,
[00:26:54.13]
[00:26:56.23]
and now this is only NSA, this
isn't all the US government
[00:26:59.40]
vulnerabilities, this is, this
is just within the NSA process.
[00:27:01.97]
But again, we are starting to
really see a lot of transparency
[00:27:05.70]
that was coming out of the
government and the government on
[00:27:07.53]
this. And, but I know a lot of
you are saying 91% [tlrrp] "How
[00:27:12.17]
can you say 91%, how can you
know any of this is true?". So
[00:27:15.87]
in the next part we'll start
getting into, uhm, uh, these
[00:27:19.30]
assessments and can we really
know if the, if, uhm, any of
[00:27:23.30]
this is true, can we prove what
they're saying? Can we
[00:27:27.17]
disprove what they're saying?
So from 2014 to present, this is
[00:27:30.83]
what it looks like. On the, the
parts highlighted are the parts
[00:27:34.77]
that have changed since the
previous version of the slide.
[00:27:38.27]
So the, the top yellow one, uhm,
now the equities review board is
[00:27:44.73]
run by the White House, uhm,
also [pause] The, the way to
[00:27:49.73]
[00:27:52.93]
appeal is much clearer because
once it's in the White House,
[00:27:57.73]
once it's in the NSC, everybody
understands the rule of appeal
[00:28:01.50]
then. If you don't like what
happened at, at this level it
[00:28:05.90]
can go to something called, uhm,
it can go up to the next big
[00:28:10.00]
level would be a deputy's
committee. So that would be the
[00:28:13.07]
deputy secretary of the
treasury, deputy secretary of
[00:28:15.30]
defense, deputy secretary DHS,
uhm... And this deputy's
[00:28:18.93]
committee's where the real
decisions get made. And so if
[00:28:21.33]
you don't like, and if you think
the decision went against you
[00:28:23.63]
and the ERB either way you can
say "I'm gonna take it to the
[00:28:28.10]
deputy". And that's the same way
you appeal anything that's a
[00:28:32.73]
national security- or a homeland
security decision. So all of a
[00:28:35.73]
sudden it became a lot clearer
on what that appeals process was
[00:28:38.30]
gonna be. [clicking noise] So
what we've learnt applies to all
[00:28:40.67]
and contractors, all vulns
whether discovered or bought.
[00:28:44.80]
This does not apply to
vulnerabilities that were known
[00:28:48.20]
prior to the policy coming out.
So that, that's an interesting
[00:28:51.70]
loophole. A new process is owned
by the White House and then, and
[00:28:55.90]
then, uh, again, uh, a subtle
inside the beltway point, uhm, I
[00:29:00.47]
was pleased that this was being
run by the cyber directorate
[00:29:03.43]
because they are predominantly a
defensive shop, uhm, this wasn't
[00:29:07.10]
being run, for example by the
intelligence part of the NSC or
[00:29:10.93]
the defence part of the NSC. If
it were either of those, then
[00:29:14.10]
they would probably have a
little bit more biased to wanna,
[00:29:16.03]
do wanna retain those things for
government use. Because it was
[00:29:19.27]
cyber, we're gonna see much more
of a balance. So what don't we
[00:29:23.70]
know? And I'm gonna cover all 5
of these, what didn't we know
[00:29:27.00]
from the breakthrough, the
breakthrough? So I'm gonna touch
[00:29:29.20]
all 5 of these. [pause] [thump]
FBI versus Apple by my reading
[00:29:35.90]
of the policy as a former White
House guy FBI shouldn't have had
[00:29:40.53]
to submit the iPhone if, iPhone
5 vulnerability. Uhm, based on
[00:29:45.13]
that, that, Michael Daniel
criteria that we talked about,
[00:29:47.87]
those, those, 8 or 9, those 8 or
9 elements - it certainly seems
[00:29:51.13]
to fit. It's certainly
widespread, uhm, we can
[00:29:55.07]
certainly imagine others using
these, uhm, FBI ended up
[00:29:59.03]
claiming contractual IP
restrictions. Officially FBI
[00:30:03.23]
only bought the use of the tool
for, what, a million- or -ish
[00:30:08.90]
dollars the reporter said? Uhm,
they don't, because they don't
[00:30:12.73]
actually know what the
vulnerability is they therefore
[00:30:16.10]
can not submit. Cause they don't
know... whomp, whomp....
[00:30:20.27]
[laughter] Uhm, to me it seems
to contravene pretty direct
[00:30:23.53]
presidential guidance, uhm, so
I'm gonna be very curious to see
[00:30:26.97]
if the White House is gonna
revamp the process to try and
[00:30:29.43]
say that "You can't do this kind
of exception, you can't do this
[00:30:32.03]
kind of end-around." Uhm, just
one side note, a few months ago
[00:30:35.30]
the FBI did inform Apple of an,
another vulnerability and they
[00:30:38.20]
use this entire VEP process, uh,
to go about and do it. I've
[00:30:42.23]
gotta, I've gotta bet, uhm, with
a, with a buddy, uhm, he put it
[00:30:45.87]
up on Lawfare that, uhm, I, I
said that Apple would know
[00:30:49.23]
within a year about the
vulnerability. Uhm, my buddy
[00:30:51.83]
said no way Apple's gonna know
about this vulnerability in a
[00:30:54.07]
year - so we've got a dinner
riding on that. Okay, the big
[00:30:56.80]
question! The moment you've all
been waiting for....! How many
[00:30:59.80]
do they actually retain?
[laughter] And this was the real
[00:31:02.87]
thing that, I think, got my
students involved, uh, excited
[00:31:05.60]
about doing this was to answer
this question. This is what you
[00:31:08.20]
have waited for! [laughter] Not
hundreds or thousands, uhm, this
[00:31:12.50]
is prior to the invig, the
invigorated policy. I've got
[00:31:18.60]
moderate confidence that, uhm,
in the period up to 2014 they
[00:31:23.10]
were probably keeping dozens.
Not hundreds, not thousands, not
[00:31:27.77]
more than that. [cough] So,
here's the evidence, here's how
[00:31:30.80]
we get that - but I've only got
moderate confidence. [sigh] To
[00:31:34.80]
me, one of the most important
things in this was, uhm, the
[00:31:39.13]
revelation that we found out
that NSA keeps 20, that had a
[00:31:42.73]
budget of 25 point 1 million for
covert purchases of software
[00:31:47.20]
vulnerabilities. To me, that was
a, uhm, and I'll walk through,
[00:31:51.87]
I'll walk through this 25 point
1 and what that, what that meant
[00:31:54.23]
for me. Uhm, and, so, let's
unpack that, what does, what
[00:31:58.53]
does 25 point 1 maybe buy you?
So I did some assumptions.. I, I
[00:32:02.47]
don't think that, uhm, if I had
a budget like that, for finding
[00:32:05.90]
vulnerabilities, I don't think
that I would buy a bucket of
[00:32:07.80]
bugs... [laughter] Right... I'm
not just gonna go out there and
[00:32:09.97]
find simple ones that I can
kinda discover myself. Uhm, I
[00:32:13.07]
assume that there's probably
going to be some purchase for
[00:32:15.80]
non-commercial bugs, I'll talk
about that in a second. I would
[00:32:18.63]
suspect that they would tend
towards higher-value
[00:32:20.87]
vulnerabilities rather than,
rather than less expensive ones.
[00:32:24.77]
And, that 91% the NSA number
came out with was roughly
[00:32:28.43]
accurate. And,and, and I'll talk
about that right here. So can we
[00:32:32.73]
believe 91%? Uhm, Dickie George
who is the former, uhm,
[00:32:38.30]
technical director of the
defensive side of NSA, uhm,
[00:32:42.43]
info, [audience noise]
information assurance
[00:32:45.40]
directorate, uh, gave an
interview and he said "Retaining
[00:32:48.50]
was very rare" during his time,
and he's been doing it for over
[00:32:52.10]
15 years. Uhm, I showed these
slides to the former director of
[00:32:56.07]
NSA - General Hayden, uhm, he
came in and saying "Yes this all
[00:32:59.67]
seems consistent with my time
there. Seems consistent with my
[00:33:03.23]
experience that we took defense
very seriously". Uhm, but keep
[00:33:06.33]
in mind this only applies to the
NSA, uhm, to really try and
[00:33:10.53]
prove or disprove this you'd
have to go out and try and talk
[00:33:13.80]
to vendors and find out how many
vulnerabilities NSA actually
[00:33:17.47]
tells them. And that was well
out of scope of what we could do
[00:33:20.60]
here, if you really wanna go
after it, I think you've gotta
[00:33:23.23]
try and go to the vendors and
get the actual numbers. So for
[00:33:26.00]
right now, I'm gonna take 91% as
accurate-ish and, uhm, it's
[00:33:29.87]
tough for me to get anything
real tight on it to prove it, I
[00:33:33.60]
can't yet, I can't yet disprove
it either. So, here's two
[00:33:36.53]
examples of what you might do
with 25 point 1 - uh you might
[00:33:39.73]
buy 250 important commercial
vul, vulnerabilities at a
[00:33:42.97]
hundred-k each; uhm, if you
assume 91% you end up with about
[00:33:48.10]
25 of those if you assume that
maybe CIA and justice were
[00:33:52.07]
getting similar numbers, you
discover about similar number,
[00:33:55.50]
you end up with 75... Uhm, even,
if we're off by a factor of 3
[00:34:00.87]
one this then you end up in the
low hundreds, with 125 ret,
[00:34:05.50]
retained. So it puts us into
hundreds but I can't, I couldn't
[00:34:10.53]
get to that, I couldn't get to
thousands of vulnerabilities
[00:34:12.67]
doing this. I think, and, based
on this dozens seems okay, maybe
[00:34:16.27]
low hundreds. But to me this is
a little bit too simplistic
[00:34:19.23]
version of what you might do
with 25 point 1 million dollars
[00:34:21.67]
to buy bugs. So example number
two, imagine we buy 12 critical
[00:34:27.03]
commercial vulnerabilities for a
million; 5 critical
[00:34:30.47]
non-commercial for a million,
right? If NSA could buy access
[00:34:35.37]
to a Russian air defense system
for a million dollars - good
[00:34:40.00]
luck on 'em! [laughter] I, I, I
hope they don't do that
[00:34:42.47]
[chuckle]. Uhm, other major
vulnerabilities for 250k, if we
[00:34:45.73]
assume 91% that leaves us with
5, 5 retained. Uhm, assume other
[00:34:50.73]
agencies vulns that they
discover, we end up with 15,
[00:34:53.73]
again, even if we're off by a
factor of 3 we are in this
[00:34:57.63]
middle dozens kind, kind of area
on how many before the new
[00:35:02.43]
policy. So you can see why I'm
only moderate-confidence on
[00:35:06.13]
this, uhm, there's not that much
to go on. On one hand we've got
[00:35:11.13]
people who say that "This is
very rare, we default it towards
[00:35:13.43]
the defense 91%", on the other
hand we've got some evidence
[00:35:17.20]
like this 25 point 1, uhm, 25
point 1 million. [coughing] So
[00:35:21.83]
that was prior to 2014, we've
got much stronger evidence today
[00:35:25.80]
on how many they retain. Right
now, it looks like single
[00:35:29.53]
digits. [pause] I couldn't
believe this - everyone talked
[00:35:33.27]
to imagined that it was far
higher than that. People that
[00:35:36.47]
have been White House, people
that have been de, uh,
[00:35:38.73]
Department of Defense, and
Pentagon officials all assumed
[00:35:41.27]
like you did - that it was
hundreds, if not thousands. And
[00:35:43.23]
I actually had pretty, pretty
high confidence in that
[00:35:46.70]
assessment. [coughing] Uh, press
reported earlier this year that
[00:35:50.10]
the government, that the White
House reviewed about a hundred
[00:35:52.10]
and only kept two. One of my
colleagues that was formerly
[00:35:55.03]
White House during this time, in
his blog on Apple FBI referenced
[00:35:59.20]
this - that matters to someone,
right? If someone that probably
[00:36:03.67]
know that, that knew the process
proved it to someone else that
[00:36:08.60]
referenced it in another, in
another new source. To me,
[00:36:11.43]
that's a good sign that we're on
about the right track. That an
[00:36:14.93]
insider was referencing this.
Uhm, Dickie George, this guy
[00:36:18.67]
that was the NSA official
responsible said it was about 3
[00:36:22.80]
or 4 per year. Uhm, I was at NSA
in August, 2014. I had the NS,
[00:36:28.30]
uh, TAO and the IAD tech
director in the room and they
[00:36:31.63]
said "Up to this point, this
year we have retained none."
[00:36:34.83]
Now, that was about 9 months, 8
or 9 months into the new policy.
[00:36:39.07]
Uh, and I get told to my face it
was none. [pause] So, that's
[00:36:43.10]
interesting [coughing] but, we
wanted to say can we prove or
[00:36:46.20]
disprove that? So this is what
journalists say, and this is
[00:36:48.90]
what others say; this is what
executives in it said, uhm, but
[00:36:52.60]
can we prove, can we prove it or
even better can we disprove it?
[00:36:56.33]
So, one, I'm not seeing that
tension between bureaucracies
[00:36:59.13]
here, no one is coming out and
saying, "No, this is BS, uhm,
[00:37:03.90]
the intelligence community is
going around the vulnerabilities
[00:37:06.23]
equities process.". We're not
seeing that type of evidence,
[00:37:08.53]
right now. Uhm, that it seems
has happened in the past. Two,
[00:37:13.20]
it looks like there's only about
50 total 0days last year. So to
[00:37:19.20]
me a number from US government
that's in single digits or maybe
[00:37:23.17]
low double digits that seems
reasonable to me. If NSA is
[00:37:27.03]
keeping hundreds or thousands,
it doesn't seem right that we
[00:37:29.47]
would only be discovering 50 per
year when we've got so many
[00:37:31.73]
people looking. And that's from
every source! You know, from
[00:37:34.90]
what rush, all these Russian
groups are keeping, all these
[00:37:37.13]
China groups are keeping, from
what all the red team users are
[00:37:40.50]
using, uhm, so to me, if they're
only finding, we've only found
[00:37:44.77]
about 50 in the wild - single
digits sounds about right.
[00:37:48.03]
Again, uh, we tried to go into
the national vulnerability
[00:37:50.63]
database and see if we could see
any statistical anom, anomalies
[00:37:54.00]
of this, uhm, of the government
starting to release more
[00:37:57.43]
vulnerabilities into the system,
the NVD was terrible. We
[00:38:00.07]
couldn't, we couldn't figure out
anything at this point if
[00:38:02.27]
possible. Uhm, again, we didn't
see any, uhm, uh, we just could,
[00:38:06.87]
we tried to find conflicting
evidence, we tried to say "Prove
[00:38:10.93]
us wrong", you know, we sent it
to the EFF, we sent it to
[00:38:13.73]
others, no one came back with
anything that was significant
[00:38:16.87]
other than, other than, uhm,
modest changes to the slide.
[00:38:20.93]
Uhm, the last one went in was,
was a little, a little more
[00:38:25.33]
worrying. Uh, we said "Can we
figure out the total of US, of
[00:38:28.83]
government vulnerabilities as
disclo, disclosed?". Uh, Dickie
[00:38:32.27]
George said they discovered
about 15-hundred a year. If you
[00:38:35.23]
apply the 91% to that, uhm, that
gets you to the, that probably
[00:38:39.10]
puts you in the dozens-space.
But he might have been talking
[00:38:41.60]
about the process before it was
reinvigorated in 2014. So to me,
[00:38:45.80]
that's probably supporting
evidence for the, uh,for the
[00:38:47.87]
dozens. He also said that they
only retained about 3 or 4 a
[00:38:50.93]
year. And again, we tried to go
in and disprove, how large is
[00:38:55.17]
the arsenal? [pause] Moderate
confidence that we're, that
[00:38:59.53]
we're talking about dozens
[cough], uh, we haven't done
[00:39:03.53]
this fully, we haven't really
had the time to really do this
[00:39:06.30]
but you can do a Drake's
equation, right? If you're gonna
[00:39:10.30]
say how big is the arsenal,
these are the kinds of equations
[00:39:11.63]
you'd want and these are the,
these are factors that you would
[00:39:12.97]
have in that equation, right?
How many did the keep? How long
[00:39:14.30]
have they been keeping? How many
did they burn per year? How many
[00:39:16.40]
got discovered by vendors or by,
uhm, or by, or by other bad
[00:39:20.00]
guys? What's the shelf life of
a, of a bug? We went through,
[00:39:23.57]
when I went through this, I got
somewhere in around 50 or 60,
[00:39:28.00]
when I did this... Uhm, again,
if we really tried to do this in
[00:39:31.90]
depth you might come up with a
different answer. The quote at
[00:39:34.77]
the bottom is from Michael
Daniel, the president's cyber
[00:39:36.43]
advisor, uhm, I, I was talking
about this talk yesterday with
[00:39:39.33]
Dark Tangent and he said, and he
gave me an idea that we haven't
[00:39:42.70]
even thought before. We actually
kinda know, there had been a, a
[00:39:45.40]
revelation about what TAO
capabilities were, and, so I,
[00:39:49.87]
added this last night. "It looks
like the NSA book of
[00:39:54.07]
capabilities had 50 pages that
each had one capability in it".
[00:39:57.67]
So, I thought that revelation
would be something that would
[00:40:01.60]
disprove that it was in the
dozens and it ended up being
[00:40:04.97]
right smack in the middle of
where our guess was! Now, again,
[00:40:08.10]
that was a book about
capabilities and not exploits
[00:40:10.70]
but to me that was, that was
really fascinating that it ended
[00:40:13.33]
up exactly the same place. I
thought that it was gonna have
[00:40:16.67]
hundreds. Okay, other nations
have about 30, have about, 30
[00:40:20.47]
other nations that have this,
uhm, the UK is the only one
[00:40:23.47]
that's even talked a little bit.
So love or hate US government -
[00:40:27.10]
we're the only ones that have
been anywhere near this
[00:40:29.03]
transparent. [audience noise]
Okay, other research questions -
[00:40:33.23]
so as others, others get
involved in this. Can we know,
[00:40:36.23]
how can we know our agency's
really submitting all their
[00:40:38.33]
vulnerabilities? Uhm, can
agencies use a vulnerability
[00:40:41.77]
while it goes through the
process? For that criteria, for
[00:40:46.17]
Michael Daniel, said, he's asked
"Can we use this, uhm, for a
[00:40:50.97]
little bit?". That leads me to
believe that they might not be
[00:40:53.70]
doing that, but I haven't, we
haven't found a great answer for
[00:40:56.33]
that. Uh, can we find anymore
direct measurement? And, most
[00:41:00.03]
importantly, what is the next
president gonna do? [audience
[00:41:03.83]
noise] Cause this is just done
but this president, and the next
[00:41:06.30]
president can come in there with
their own... [laughter] Okay,
[00:41:10.60]
recommendations, uhm, [cough]
two former White House officials
[00:41:13.47]
- Rob Knake and Ari Schwartz -
uhm, did a fantastic set of
[00:41:17.33]
recommendations. They did a
report on this process and that
[00:41:20.27]
was very helpful for us. Right
now, there's no room for
[00:41:23.20]
Congress in this, right now this
is just a policy, that can be
[00:41:26.87]
stronger. It can be an executive
order or presidential directive.
[00:41:30.57]
Right now, once it goes through
the process it never gets
[00:41:32.60]
reviewed again, uhm, and these
guys said, you know, let's take
[00:41:35.70]
a look at that, let's look at
what the watchdogs can do - like
[00:41:38.60]
the inspector general, or the
privacy and civil liberties
[00:41:41.03]
oversight board. I would add to
that mandating no use of this
[00:41:44.67]
vulnerability until it's gone
through the process. [cough] And
[00:41:47.50]
that's, it doesn't seem like
it's specific, we need to add
[00:41:49.90]
that. Uhm, and I just think we
need other countries, especially
[00:41:54.30]
other democracies, like Great
Britain to get involved and, and
[00:41:58.93]
give their process as well. But
also countries like, uhm, like
[00:42:02.00]
The Netherlands, Australia, uhm,
there are great democracies that
[00:42:05.80]
aren't picking - recommendations
for the rest of us. [pause]
[00:42:09.80]
Normally in warfare if one side
disarms themselves then all
[00:42:13.80]
they've done is disarm
themselves, right? If the US
[00:42:16.37]
said we're not gonna have
nuclear weapons everyone else
[00:42:18.80]
has nuclear weapons and we
haven't changed. This is the one
[00:42:21.67]
area where you dis, you can
disarm governments. Because once
[00:42:28.20]
that information goes to a
vendor - everybody is disarmed.
[00:42:32.20]
So if you are out discovering
vulnerabilities and you wanna
[00:42:35.30]
disarm governments around the
world - make sure you're telling
[00:42:38.20]
the vendor. Follow up if they're
not, not listening to you. I
[00:42:42.30]
think we need more attention on
this question amongst, amongst
[00:42:44.30]
the researchers and more FOIA.
So we covered these four, we
[00:42:48.30]
covered these four areas, uhm, I
think it's a pretty decent
[00:42:51.47]
process on disclosing and
retaining but there's definitely
[00:42:55.53]
some improvements that we can
come up with the number that
[00:42:58.70]
they keep every year seems to be
much smaller than what I would
[00:43:02.23]
have ever guessed coming into
this. I was shocked, I assumed
[00:43:04.47]
it was in the hundreds, and it
looks like it used to be dozens
[00:43:08.23]
and now into the single digits.
The full arsenal seems to be in
[00:43:12.57]
the dozens but only moderate
conf, confidence in that, and
[00:43:17.00]
then a few areas for us to talk
about. Okay, here's the
[00:43:20.40]
references. I'll leave that up
for a little bit. I don't think,
[00:43:23.10]
we're not gonna have time for
questions, uhm, but, uhm, I'll
[00:43:26.13]
stick around afterwards and
I'll, I'll see you around here -
[00:43:28.73]
out in the hallway afterwards.
[audience noise] So, I know I
[00:43:33.73]
[00:43:37.57]
might not have convinced you...
[applause]
[00:43:39.83]